Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets

LockBit ransomware attacks are constantly evolving by making use
of a wide range of techniques to infect targets while also taking
steps to disable endpoint security solutions.

“The affiliates that use LockBit’s services conduct their
attacks according to their preference and use different tools and
techniques to achieve their goal,” Cybereason security analysts
Loïc Castel and Gal Romano said^[1]. “As the attack
progresses further along the kill chain, the activities from
different cases tend to converge to similar activities.”

LockBit, which operates on a ransomware-as-a-service (RaaS)
model like most groups, was first observed in September 2019 and
has since emerged as the most dominant ransomware strain this year,
surpassing other well-known groups like Conti^[2], Hive^[3], and BlackCat^[4].

This involves the malware authors licensing access to
affiliates, who execute the attacks in exchange for using their
tools and infrastructure and earn as much as 80% of each successful
ransom payment received from the victims.

LockBit also utilizes the popular technique of double extortion
to exfiltrate vast amounts of data prior to encrypting the assets
of the target, netting the cybercriminal syndicate no fewer than
850 victims on its data leak site as of May 2022.

Attack Life Cycle – Case Study 1

Attack Life Cycle – Case Study 2

According to a leak site data analysis^[5]
by Palo Alto Networks Unit 42, LockBit accounted for 46% of all
ransomware-related breach events for the first quarter of 2022. In
June alone, the group has been tied to 44 attacks^[6], making it the most
active ransomware strain.

LockBit ransomware attacks are known to employ several avenues
for initial infection: Exploiting publicly-exposed RDP ports,
relying on phishing emails to download malicious payloads, or
leveraging unpatched server flaws that allow the affiliates to gain
remote access to the targeted network.

Following this step are reconnaissance and credential theft
activities, which enable the actors to move laterally across the
network, establish persistence, escalate privileges, and launch the
ransomware. This is also accompanied by running commands to delete
backups and subvert detection by firewalls and antivirus
software.

In the three years since LockBit appeared on the scene, the RaaS
scheme has received two notable upgrades, with the threat actors
debuting LockBit 2.0 in June 2021 and launching the third
installment of the service, LockBit 3.0^[7], last month with support
for Zcash cryptocurrency payment options and a bug bounty program —
the first for a ransomware group.

The initiative claims to offer rewards of up to $1 million for
finding security blind spots in its website and locker software,
submitting brilliant ideas, doxing the head of the gang’s affiliate
program, or identifying ways that could expose the IP of the server
hosting the website on the TOR network.

The bug bounty program is yet another sign that hacker groups
are increasingly functioning as legitimate IT enterprises^[8], incorporating HR
departments, regular feature releases, and even bonuses for solving
challenging problems.

However, indications are that LockBit 3.0, also called LockBit
Black, is inspired by another ransomware family known as BlackMatter^[9], a rebranded version of
DarkSide that shuttered in November 2021.

“Large portions of the code are ripped straight from
BlackMatter/Darkside,” Emsisoft researcher Fabian Wosar said^[10] in a tweet earlier this
week. “Guess it is clear that LockBit got their dirty hands on
another group’s code.”